Skype Knew of Security Flaw Since November 2010, Researchers Say

Skype was told a year and a half ago about a security flaw that allows for the location tracking of customers, but left it unfixed, the security researchers who first discovered the vulnerability told CIO Journal.

The flaw, which allows hackers to secretly track IP addresses, should be of interest to CIOs. Skype, which is now owned by Microsoft, said last year about 37% of its 663 million community members use the “Skype product platform occasionally or often for business-related purposes.”

While the Internet voice and video calling application is not widely supported by corporations, many CIOs are under increasing pressure to allow such consumer technology into the company. The inability of Skype to fix the flaw may give some CIOs pause.

Researchers from Inria, a research institute in France, and the Polytechnic Institute of New York University shared their original findings on the Skype vulnerability in November 2010, the team’s leader, Stevens Le Blond, told CIO Journal in a phone call on Tuesday. Their research, which was published in October 2011, showed the team was able to surreptitiously track the city-level location of 10,000 Skype users for two weeks. Last week, Le Blond re-tested his research and found Skype still had not fixed the vulnerability, he said.

When asked about the security flaw, Skype sent CIO Journal a statement saying the company was “investigating reports of a new tool” used to capture IP addresses. Skype and Microsoft declined to comment further.

“By calling it a ‘new tool’ it means they don’t have to respond as urgently,” Le Blond said. “It makes it seem like they just found out.”

The team discovered they could mask brief calls to Skype users, preventing pop-up notifications and call histories that would identify them from appearing on the recipient’s computer or device. The recipients didn’t know that they had been called, and didn’t have to answer the call in order to be identified.

After the call, researchers could obtain the user’s IP address from packets of information automatically sent to the caller from the receiving end. By repeating the process every hour, they could map how users moved between cities.

Le Blond said the same technique could be used for mobile devices that have Skype as an app, though with less accuracy.

IP addresses are numbers assigned to each device using the Internet, and help networks identify users. But the number itself allows hackers to easily track users to a city or to a specific company. And recent research shows that it’s possible to track people within 700 yards by studying their IP addresses.

The researchers say the vulnerability could allow corporate rivals to track the movement of individuals from a company, as they travel between cities and states.

“You can scale this to track tens of thousands of employees,” said Keith Ross, a researcher from the Polytechnic Institute who worked on the 2011 paper, “and determine their strategy and who they’re trying to do business with.”

Le Blond also said the flaw could be used as a first step for hacking into the computer of an executive. “The IP address is a prerequisite–once you have that you can get to the next steps,” said Le Blond, who now works at the Max Planck Institute for Software Systems.

Most companies don’t explicitly endorse Skype, which remains primarily a consumer product, said Lawrence Orans from Gartner, a technology research firm. Gartner has long dissuaded companies from deploying Skype because of other security and integration issues. “It’s something companies will often look the other way on. But it’s not often a supported service,” Orans says.

In his view, IP tracking is not something his clients are “freaking out” about. “There’s a much bigger threat posed by malware … and pulling confidential information off banking cookies. All that stuff is a much bigger risk for people,” Orans says.

The researchers say they are surprised Skype and Microsoft have yet to solve the problem. Ross, the Polytechnic Institute researcher, says Skype has likely not fixed the vulnerability because it may be “deeply embedded in the code” and might require a “heavy restructuring.”

The process of fixing the security flaw in a platform used by hundreds of millions of people could be risky. “You can introduce new bugs and problems,” he said.
